Defending the Data Center: Managing Users from the Edge to the Application
- 1. MANAGING USERS FROM THE EDGE TO THE APPLICATION
Russell Rice
Senior Director Product Management
Dec 5, 2012
© 2012 Cisco and/or its affiliates. All rights reserved. 1
- 2. 7.7 billion Wi-Fi devices in the next 5 years, accessing applications and data
- 3. • How do I classify so many devices coming onto my network every hour?
• Do we have any visibility on those devices connecting to our application & data in the DC?
• Virtual Machine Sprawl! How should I manage security for all of those VMs we are being asked to provision every day?
• My critical services are still running on physical servers. Do I maintain separate policies?
- 4. Simplifying network security and engineering
• Secure
  Embeds security within the infrastructure
  Enforcement based on rich contextual identity of users and systems
  Solution simplicity enables an end-to-end approach
• Efficient
  Simplifies implementation of security policy
  Highly scalable & inline rate
  Simplifies Data Center network design
• Demonstrable ROI
  Reduces ACL and VLAN complexity & maintenance
  Can automate Firewall policy administration
  Can improve both performance & availability
- 5. Translating Business Policy to the Network
TrustSec lets you define policy in meaningful business terms.
Business Policy matrix (Source rows, Destination columns: HR Database | Prod HRMS | Storage):
  Exec BYOD: X X X
  Exec PC: X X
  Prod HRMS: X
Flow: Business Policy → Context Classification → Security Group Tag (SGT) → Distributed Enforcement throughout the Network (Switch, Router, DC FW, DC Switch) → HR Database
- 6. ISE Profiling
Along with authentication, various data is sent to ISE (Identity Services Engine) for device profiling.
Profiling data sources: NetFlow, DHCP, DNS, HTTP, OUI, RADIUS, NMAP, SNMP
Classification result (example): Device Type: Apple iPad; User: Mary; Group: Employee; Corporate Asset: No → Personal Asset SGT
ISE applies the ID & Security Group Policy and returns the SGT to the access layer (AP / Wireless LAN Controller).
Distributed enforcement based on Security Group: Company asset → DC Resource Access; Personal asset → Restricted, Employee Internet Only
- 7. Classification, SGT Propagation, Enforcement
Figure: ISE (with Directory) classifies users and devices (SGT: 5) and servers (Fin Servers SGT = 4, HR Servers SGT = 10); the SGT propagates across Switch, Router, DC FW and DC Switch, where enforcement takes place.
TrustSec SGA is a context-based firewall or access control solution:
• Classification of systems/users based on context (user role, device, location, access method)
• The context-based classification propagates using SGT
• SGT used by firewalls, routers and switches to make intelligent forwarding or blocking decisions in the DC
- 8. Data Center
DC Core Layer: Stateful Firewalling; initial filter for all ingress and egress
DC Aggregation Layer / DC Service Layer: Stateful Firewalling; additional firewall services for server farm specific protection
DC Access Layer (Physical Servers; Virtual Access / Virtual Servers): Server Segmentation; IP-Based Access Control Lists; VLANs, Private VLANs
- 9. Traditional ACL or FW Rules
Source objects: NY (10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24), VPN, UK, SJC (other subnets shown in the figure: 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24)
Destination objects: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (ESXix)
Source / Destination rules:
permit NY to SRV1 for HTTPS
deny NY to SAP1 for SQL
deny NY to SCM2 for SSH
permit VPN to SRV1 for HTTPS
deny VPN to SAP1 for SQL
deny VPN to SCM2 for SSH
permit UK to SRV1 for HTTPS
deny UK to SAP1 for SQL
deny UK to SAP for SSH
Adding source object (SJC):
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2
Adding destination object (ESXis):
permit NY to ESXis for RDP
deny VPN to ESXis for RDP
deny UK to ESXis for RDP
deny SJC to ESXis for RDP
Global bank dedicates 24 global resources to manage ACL / firewall rules for 3 source objects & 3 destination objects currently.
Complex task and high OPEX continues.
- 10. Security Group Filtering
Sources: NY, VPN, UK, CA; Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (ESXix)
Source SGT: Employee (10); Destination SGT: Production Server (50)
permit from Employee to Production Server eq HTTPS
deny from Employee to Production Server eq SQL
deny from Employee to Production Server eq SSH
Policy stays with User / Server regardless of topology
Simpler Auditing Process; Lower Operational Cost
Simpler Security Operation; Resource Optimization (e.g. Global bank estimates 6 global resources with SGFW/SGACL)
Clear ROI in OPEX
- 11. Legacy vs. Emerging
Legacy:
• Accidental Architectures
• Applications deployed in fixed positions (ex. multi-tier deployment)
• Predictable traffic flows
• Security often deployed to each pod or silo
Emerging:
• Data Center and Server Consolidation
• Server Virtualization: “Any workload on any server”
• Unpredictable traffic flows as workloads migrate
- 12. Physical and Virtual Servers Segmented using VLAN? Which Policy?
Policy stays with VLAN or IP address, not with servers
Web Servers → Web Server VLAN; App Servers → App VLAN; Database → Database VLAN; plus DR and Cluster
Network Ops, Server Ops, and Security Ops are involved in operation
As the number of servers grows… complexity and OPEX follow
- 13. Web Server SGT (10), Application Server SGT (20), Database Server SGT (30)
Server, Network, and Security Team share a common security object
Policy stays with Servers, not based on topology
Works for both Physical and Virtual Servers (Web, App, DB across Production Server VLAN, DR, Cluster)
permit tcp from src Web to dst App eq HTTPS
permit tcp from src App to dst DB eq SQL
deny any from src Web to dst DB eq SQL
As the number of servers grows… management complexity and OPEX do not
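The SGT-based policy on this slide, contrasted with the address-bound rules of slides 9 and 12, as an added example (not Cisco's code or the TrustSec implementation): a toy policy engine that classifies constructed servers by role, evaluates the slide's three SGACL entries next to an equivalent subnet-bound ACL, and counts how each grows when a source object is added. The server names, addresses, port numbers and the default deny are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Security Group Tags from slide 13: Web (10), App (20), DB (30).
SGT = {"Web": 10, "App": 20, "DB": 30}

# Constructed inventory. The role is what an ISE-style classification assigns;
# the address changes when a workload moves to the DR cluster, the role does not.
SERVERS = {
    "web1":   ("Web", "10.1.10.5"),
    "app1":   ("App", "10.1.20.5"),
    "db1":    ("DB",  "10.1.30.5"),
    "db1-dr": ("DB",  "10.9.30.5"),   # same DB workload after migration to DR
}

# SGACL matrix keyed by (source SGT, destination SGT) -> [(proto, port, action)].
# The three entries transcribe slide 13; port numbers and the default deny are assumed.
SGACL = {
    (10, 20): [("tcp", 443, "permit")],   # permit tcp Web -> App eq HTTPS
    (20, 30): [("tcp", 1433, "permit")],  # permit tcp App -> DB eq SQL
    (10, 30): [("any", 1433, "deny")],    # deny any Web -> DB eq SQL
}
# Constructed subnet-bound equivalent of the same intent (slide 12 style).
IP_ACL = [
    ("10.1.10.0/24", "10.1.20.0/24", "tcp", 443, "permit"),
    ("10.1.20.0/24", "10.1.30.0/24", "tcp", 1433, "permit"),
    ("10.1.10.0/24", "10.1.30.0/24", "any", 1433, "deny"),
]
DEFAULT = "deny"

def classify(name):
    """SGT of a server, derived from its role and never from its address."""
    return SGT[SERVERS[name][0]]

def sgacl_decision(src, dst, proto, port):
    for r_proto, r_port, action in SGACL.get((classify(src), classify(dst)), []):
        if r_proto in ("any", proto) and r_port == port:
            return action
    return DEFAULT

def ip_acl_decision(src, dst, proto, port):
    s, d = ip_address(SERVERS[src][1]), ip_address(SERVERS[dst][1])
    for s_net, d_net, r_proto, r_port, action in IP_ACL:
        if (s in ip_network(s_net) and d in ip_network(d_net)
                and r_proto in ("any", proto) and r_port == port):
            return action
    return DEFAULT

def rules_added_by_new_source(dst_objects, services, maps_to_existing_sgt=True):
    """Rule growth when one source object is added (slide 9 vs slide 10)."""
    return dst_objects * services, (0 if maps_to_existing_sgt else dst_objects * services)
```

After db1 moves to the DR subnet, the SGACL still permits app1 to reach it on SQL while the subnet-bound ACL falls through to the default deny until someone rewrites it, which is the "policy stays with servers" point of the slide.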
- 14. • Supports VXI use case with Nexus 1000v
• Common classification and enforcement for physical & virtual environment
• Simpler security management for frequent VM provisioning
• SGT assigned to vEthernet port
Figure: VDI Endpoint → Campus Network → VDI Connection Broker and Physical Servers; Nexus 1000v Virtual Access → Virtual Servers / Hosted Virtual Desktop (HVD) on UCS. Legend: SGACL enabled Device; SG Firewall enabled Device.
- 15. Data Center
DC Core Layer: Security Group Firewalling; firewall rule automation using Security Group (ASA)
DC Aggregation Layer / DC Service Layer: Security Group Firewalling; firewall rule automation using Security Group (ASA)
DC Access Layer (Physical Servers; Virtual Access / Virtual Servers): Security Group ACLs
• Segmentation defined in a simple policy table or matrix
• Applied across Nexus 7000/5500/2000 independent of the topology
Legend: SGACL enabled Device; SG Firewall enabled Device
- 16. DEPLOYMENT USE CASES
Healthcare: Ensure Privacy of Patient Data by Enforcing Roles Based Access and Segmentation Across the Network
Retail: Intra Store Communication for Networked Devices While Ensuring That Only Authorized Users and Devices Have Access to PCI Data
Technology: Allowing Approved Employee-Owned Tablets Access to Internal Portals and Corporate App Store
Manufacturing: Marking Extranet Traffic to Allow PLC Vendor Remote Access to Specific Manufacturing Zone Only, and Offshore Development Partners Access to Development Servers Only
- 17. Classification (WLAN / LAN / Remote Access): Catalyst 2K, Catalyst 3K, Catalyst 4K, Catalyst 6K, WLC (7.2), Nexus 7000, Nexus 5000, Nexus 1000v (Q4CY12), AnyConnect (Attribute provider)
Policy Management: Identity Services Engine
Enforcement: N7K / N5K (SGACL), Cat6K (SGACL), Cat3K-X (SGACL), ASA (SGFW), ASR1K/ISRG2 (SGFW, roadmap)
Transport: Cat 2K-S (SXP), Cat 3K (SXP), Cat 3K-X (SXP/SGT), Cat 4K (SXP), Cat 6K Sup2T (SXP/SGT), N7K (SXP/SGT), N5K (SGT), N1Kv (SXP) - Q4CY12, ASR1K (SXP/SGT), ISR G2 (SXP), ASA (SXP)
- 18. Secure / Efficient / Demonstrable ROI
Secure: Embed security within the infra; Enforcement based on rich context; Solution simplicity enables end-to-end approach
Efficient: Simplifies implementation of security policy; Highly scalable & Inline rate; Simplifies Data Center network design
Demonstrable ROI: Reduces ACL and VLAN complexity & maintenance; Automates FW policy; Improve both performance & availability